This was discovered after a staff technologist at the Electronic Frontier Foundation, Yan Zhu, noticed that the WordPress servers were sending an important browser cookie in plain text, without any encryption layer. While protecting such a cookie in transit may seem like common security practice, it looks like this slipped through the cracks at WordPress.
If this particular cookie is transmitted without encryption, it can easily be intercepted, and whoever captures it can gain access to the WordPress blogs, post messages, delete content and change things however they want. The one thing that wasn’t possible was changing passwords, since that depends on another cookie that is actually transmitted encrypted.
Zhu actually demonstrated all of this. She grabbed the cookie from her own account like an attacker would, pasted it into a new browser profile and went to WordPress, where she wasn’t even prompted to log in, despite the fact that two-factor authentication was enabled for the account.
WordPress admitted to the security problem and promised an update in the near future. However, the company mentioned that the cookie could only be used until it expired. Considering that it actually remains valid for three years, that’s not really a solution.
As mentioned, a fix for the issue will be included in the next WordPress update. Thankfully, however, WordPress sites that are hosted individually on a server with HTTPS support are not vulnerable, as long as HTTPS is enforced for every page rather than just the login form.
Either way, everyone should refrain from accessing WordPress accounts via open Wi-Fi hotspots.
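The two properties at the heart of this story are whether an authentication cookie is restricted to encrypted connections and how long it stays valid. The following audit function is an added example, not code from the article or from WordPress; the cookie name `auth_session`, the header values and the 30-day threshold are constructed for illustration, and the weak header mirrors the article's scenario (no encryption requirement, three-year lifetime).

```python
# Added example (not from the article or from WordPress): audit a Set-Cookie
# header for the protections that would have blunted the flaw described above.
# Cookie names, values and thresholds below are constructed samples.
from typing import Dict, List, Union

Attrs = Dict[str, Union[str, bool]]


def parse_set_cookie(header: str) -> Dict[str, Union[str, Attrs]]:
    """Split one Set-Cookie value into name, value and an attribute map.

    Attribute names are lower-cased; value-less flags such as Secure and
    HttpOnly are stored as True so they can be checked uniformly.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Attrs = {}
    for attr in parts[1:]:
        key, has_value, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookie(header: str, max_age_days: int = 30) -> List[str]:
    """Return the weaknesses found in a Set-Cookie header (empty if none)."""
    attrs = parse_set_cookie(header)["attrs"]
    issues: List[str] = []
    if attrs.get("secure") is not True:
        issues.append("missing Secure: browser will also send it over plain HTTP")
    if attrs.get("httponly") is not True:
        issues.append("missing HttpOnly: readable by scripts on the page")
    if "max-age" in attrs and int(attrs["max-age"]) > max_age_days * 86400:
        issues.append(f"Max-Age {attrs['max-age']}s exceeds {max_age_days} days")
    return issues


def hardened_set_cookie(name: str, value: str, max_age_seconds: int) -> str:
    """Build a Set-Cookie header with the attributes the audit expects."""
    return (f"{name}={value}; Path=/; Max-Age={max_age_seconds}; "
            "Secure; HttpOnly; SameSite=Lax")


# Constructed samples: a cookie like the one in the article (three years,
# no Secure flag) and a hardened replacement limited to two weeks.
WEAK_HEADER = "auth_session=abc123; Path=/; Max-Age=94608000"
HARDENED_HEADER = hardened_set_cookie("auth_session", "abc123", 1209600)

if __name__ == "__main__":
    for label, hdr in (("weak", WEAK_HEADER), ("hardened", HARDENED_HEADER)):
        print(label, audit_cookie(hdr) or "no issues")
```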
This is a serious security vulnerability for WordPress, and someone who meant to do harm would have found it easy to exploit. It’s surprising that this issue was overlooked by the team at WordPress, especially since encryption has been a particularly hot topic in recent months, mostly due to the NSA scandal.